WordPress Comments Import & Export < 2.4.4 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting | CVE 2025-3919 | Plugin Vulnerabilities

Description

The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters.
This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page.
The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4

Affects Plugins

comments-import-export-woocommerce

Fixed in 2.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bc8863-04a9-4631-9510-624f98ea1e75

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jorgson

Verified

No

WPVDB ID

37c9e796-d2c3-41b6-b6d3-c5ed9f07a294

Timeline

Publicly Published

2025-06-02 (about 1 year ago)

Added

2025-06-02 (about 1 year ago)

Last Updated

2025-06-02 (about 1 year ago)

Other

Published

Title

Published

2023-02-13

Title

Cost Calculator <= 1.8 - Contributor+ Stored XSS

Published

2024-08-26

Title

GHActivity <= 2.0.0-alpha - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-18

Title

Dynamic URL SEO < 1.2 - Reflected XSS

Published

2026-05-26

Title

Gutenverse < 3.4.7 - Reflected Cross-Site Scripting via 's' Parameter

Published

2025-01-09

Title

Orbit Fox by ThemeIsle < 2.10.44 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget